... | ... | @@ -1406,20 +1406,15 @@ by the next Debian release, around summer 2024. |
|
|
|
|
|
TODO: propose a solution to resolve the issues with ud-ldap
|
|
|
|
|
|
## Cost
|
|
|
|
|
|
This would be part of the running TPA budget.
|
|
|
|
|
|
## Alternatives considered
|
|
|
|
|
|
TODO: evaluate LDAP control panels?
|
|
|
TODO: propose a solution to resolve the issues with ud-ldap
|
|
|
|
|
|
TODO: evaluate what parts of ud-ldap could be replaced with Puppet.
|
|
|
|
|
|
TODO: evaluate what users need a shell for - maybe it can all be moved
|
|
|
to containers?
|
|
|
|
|
|
brainstorm:
|
|
|
### brainstorm:
|
|
|
|
|
|
* static sites -> gitlab pages?
|
|
|
* apps deployement like onionoo -> containers?
|
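Review bot: the `### brainstorm:` heading keeps the lowercase initial and trailing colon of the plain `brainstorm:` line, while the other headings visible here (`## Cost`, `## Alternatives considered`) have neither; suggest `### Brainstorm`. In the list under it, `deployement` in the onionoo item should be `deployment`. The `TODO: propose a solution to resolve the issues with ud-ldap` line appears at two positions in this hunk, so please confirm only one copy remains in the resulting page.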
... | ... | @@ -1429,3 +1424,65 @@ brainstorm: |
|
|
|
|
|
maybe we can get rid of most users and then get rid of LDAP, in the
|
|
|
long term?
|
|
|
|
|
|
## Cost
|
|
|
|
|
|
This would be part of the running TPA budget.
|
|
|
|
|
|
## Alternatives considered
|
|
|
|
|
|
The LDAP landscape in the free world is somewhat of a wasteland,
|
|
|
thanks to the "embrace and extend" attitude Microsoft has taken to the
|
|
|
standard (replacing LDAP and Kerberos with their proprietary Active
|
|
|
Directory standard).
|
|
|
|
|
|
### Replacement web interfaces
|
|
|
|
|
|
* [eGroupWare][]: has an LDAP backend, probably not relevant
|
|
|
* [LDAP account manager][]: self-service interface non-free
|
|
|
* [GOsa][]: "administration frontend for user administration"
|
|
|
* [phpLDAPadmin][]: like phpMyAdmin but for LDAP, for "power users",
|
|
|
long history of critical security issues
|
|
|
* [web2ldap][]: web interface, python, still maintained, not exactly intuitive
|
|
|
|
|
|
It might be simpler to rewrite `userdir-ldap-cgi` with [Django][], say
|
|
|
using the [django-auth-ldap][] authentication plugin.
|
|
|
|
|
|
[web2ldap]: https://web2ldap.de/
|
|
|
[eGroupWare]: https://www.egroupware.org/en/
|
|
|
[phpLDAPadmin]: http://phpldapadmin.sourceforge.net/
|
|
|
[GOsa]: https://github.com/gosa-project/gosa-core
|
|
|
[LDAP account manager]: https://www.ldap-account-manager.org/lamcms/
|
|
|
|
|
|
### commandline tools
|
|
|
|
|
|
* [cpu][]: "Change Password Utility", with an LDAP backend, no
|
|
|
release since 2004
|
|
|
* [ldapvi][]: currently in use by sysadmins
|
|
|
* [shelldap][]: similar to ldapvi, but a shell!
|
|
|
* [splatd][]: syncs `.forward`, SSH keys, home directories, abandoned
|
|
|
for 10+ years?
|
|
|
|
|
|
[splatd]: https://github.com/threerings/splatd
|
|
|
[shelldap]: https://hg.sr.ht/~mahlon/shelldap
|
|
|
[ldapvi]: http://www.lichteblau.com/ldapvi/
|
|
|
|
|
|
### others
|
|
|
|
|
|
* [LDAP synchronization connector][]: "Open source connector to
|
|
|
synchronize identities between an LDAP directory and any data
|
|
|
source, including any database with a JDBC connector, another LDAP
|
|
|
server, flat files, REST API..."
|
|
|
* [Keycloak][]: single-sign-on interface which talks with LDAP
|
|
|
* [FreeIPA][]: similar, except built on top of 389 DS, the Fedora
|
|
|
LDAP thing
|
|
|
* [LDAPjs][]: pure Javascript LDAP client
|
|
|
* [GQLDAP][]: GTK client, abandoned
|
|
|
|
|
|
[Django]: https://www.djangoproject.com/
|
|
|
[django-auth-ldap]: https://pypi.org/project/django-auth-ldap/
|
|
|
[GQLDAP]: https://sourceforge.net/projects/gqclient/
|
|
|
[LDAPjs]: http://ldapjs.org/
|
|
|
[FreeIPA]: https://www.freeipa.org/
|
|
|
[Keycloak]: https://www.keycloak.org/
|
|
|
[LDAP synchronization connector]: https://lsc-project.org/doku.php |
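Review bot: the `[cpu][]` item under `### commandline tools` has no matching link definition (only `[splatd]`, `[shelldap]` and `[ldapvi]` are defined after that list), so it will render as literal brackets; add a `[cpu]: ...` definition or drop the reference syntax. The `[phpLDAPadmin]`, `[ldapvi]` and `[LDAPjs]` definitions use `http://` while every other link in the hunk uses `https://`; switch them if the sites support it. The phpLDAPadmin entry's "long history of critical security issues" is a strong claim for a page comparing alternatives and would be better with a link to an advisory list. The LDAP account manager entry reads "self-service interface non-free" with no punctuation, so it is unclear whether the whole tool or only the self-service part is non-free. Minor style: `### commandline tools` and `### others` are lowercase while `### Replacement web interfaces` is capitalized.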